Cookiethief Android malware uses proxies to hijack your Facebook account

Cookiethief Trojan infections are on the rise and Facebook cookies appear to be a prime target.
Written by Charlie Osborne, Contributing Writer

A combination of new modifications to Android malware code has given rise to Trojans able to steal browser and app cookies from compromised devices. 

On Thursday, researchers from Kaspersky said the new malware families, dubbed Cookiethief, use a combination of exploits to acquire root rights to an Android device and then to steal Facebook cookie data. 

Cookies are tiny pieces of data that are collected by websites, online services, and mobile applications in order to track users. This information may be used for marketing purposes -- including the creation of personalized content or ad recommendations -- to track user engagement, or to compile wider datasets on consumers, such as their purchase patterns and interests. 

Cookies are not generally considered harmful, albeit a nuisance and potentially privacy-eroding. However, when they are stored by websites and used to generate unique session IDs to allow users to stay logged in to a service, their loss may be a security risk. 

See also: Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent

Threat actors may be able to fool a website into believing they are legitimate account holders, leading to account compromise, data theft, and potentially hijacking. There are security measures that can prevent these scenarios; however, the new malware's bag of tricks attempts to circumvent them. 

Kaspersky isn't entirely sure how Cookiethief has landed on devices already showing signs of infection -- at the last count being roughly 1,000, a figure that is climbing -- but once the Trojan does, the first stage of the attack is to acquire root rights on an Android mobile device. 

In the cases documented by Kaspersky, Facebook cookies are the prime target. The team is keen to emphasize that there does not appear to be a vulnerability in the Facebook app or mobile browsers that permits the theft and malware intrusion. 

The Bood backdoor is installed at the time of infection which connects to a command-and-control (C2) server and shell commands are passed for "superuser" command execution and cookie theft. 

CNET: US must do more to stop cyberattacks, bipartisan commission finds

However, stealing cookies is not enough to gain Facebook account access, as any suspicious activity could result in accounts being automatically blocked. This is where Cookiethief's second stage comes in. 

During analysis, the team found a second branch of the malware with similar coding and the same C2 server connection. This malware launches a proxy on the victim device to make access requests appear legitimate. 

"By combining these two attacks, cybercriminals can gain complete control over the victim's account and not raise suspicion from Facebook," the team says. "From there, the criminals can pose as the victim and take control of their social networking account to distribute undesirable content."

TechRepublic: Biggest trends for 5G as infrastructure to hit $4.2 billion

The content in question is likely spam or the distribution of malicious links. A webpage stored on the fraudster's C2 advertises social network account and messenger distribution services, and so the researchers believe the Trojan could be the result of efforts to spread spam and phishing attacks. 

Kaspersky says that Cookiethief may also be connected to existing Trojans including Sivu, Triada, and Ztorg, which are generally embedded into firmware or deployed through operating system vulnerabilities. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards